El. knyga: WarDriving and Wireless Penetration Testing

Introduction to WarDriving and Penetration Testing		1	(30)
Introduction		2	(1)
WarDriving		2	(1)
The Origins of WarDriving		3	(2)
Definition		3	(1)
The Terminology History of WarDriving		3	(1)
WarDriving Misconceptions		4	(1)
The Truth about WarDriving		4	(1)
The Legality of WarDriving		5	(1)
Tools of the Trade or ``What Do I Need?''		5	(9)
Getting the Hardware		6	(1)
The Laptop Setup		6	(1)
The PDA or Handheld Setup		7	(1)
Choosing a Wireless NIC		8	(1)
Types of Wireless NICs		9	(2)
Other Cards		11	(1)
External Antennas		11	(1)
Connecting Your Antenna to Your Wireless NIC		12	(1)
GPS		13	(1)
Putting It All Together		14	(6)
Disabling the Transmission Control Protocol/Internet Protocol Stack in Windows		15	(2)
Disabling the TCP/IP Stack on an iPAQ		17	(2)
A Brief History of Wireless Security		19	(1)
Penetration Testing		20	(5)
Understanding WLAN Vulnerabilities		21	(1)
Penetration Testing Wireless Networks		21	(1)
Target Identification		22	(1)
Attacks		23	(2)
Tools for Penetration Testing		25	(1)
Conclusion and What to Expect From this Book		26	(1)
Solutions Fast Track		27	(2)
Frequently Asked Questions		29	(2)
Understanding Antennas and Antenna Theory		31	(32)
Introduction		32	(3)
Wavelength and Frequency		32	(3)
Terminology and Jargon		35	(8)
Radio Signal		36	(1)
Noise		36	(1)
Decibels		37	(2)
Gain		39	(1)
Attenuation		39	(1)
Signal-to-noise Ratio		40	(1)
Multipath		40	(1)
Diversity		40	(1)
Impedance		41	(1)
Polarization		41	(1)
Cable		42	(1)
Connectors		43	(1)
Differences Between Antenna Types		43	(10)
Omnidirectional Antennas		44	(1)
Omnidirectional Signal Patterns		44	(2)
Directional Antennas		46	(1)
Directional Antenna Types		47	(1)
Grid		47	(1)
Panel		48	(1)
Waveguide		48	(1)
Bi-Quad		49	(1)
Yagi Antenna		50	(3)
Directional Signal Patterns		53	(1)
Other RF Devices		53	(6)
RF Amplifiers		53	(1)
Attenuators		54	(1)
How to Choose an Antenna for WarDriving or Penetration Testing		55	(1)
WarDriving Antennas		56	(1)
Security Audit/Rogue Hunt and Open Penetration Testing		57	(1)
``Red Team'' Penetration Test		57	(1)
Where to Purchase WiFi Antennas		58	(1)
Summary		59	(1)
Solutions Fast Track		59	(1)
Frequently Asked Questions		60	(3)
WarDriving With Handheld Devices and Direction Finding		63	(30)
Introduction		64	(1)
WarDriving with a Sharp Zaurus		64	(15)
Installing and Configuring Kismet		65	(4)
Configuring the Wireless Card to Work with Kismet		69	(3)
Starting Kismet on the Zaurus		72	(1)
Using a GPS with the Zaurus		73	(2)
Starting GPSD		75	(1)
Using a Graphical Front End with Kismet		76	(2)
Using an External WiFi Card with a Zaurus		78	(1)
WarDriving with MiniStumbler		79	(8)
Wireless Ethernet Cards that Work with MiniStumbler		80	(1)
MiniStumbler Installation		81	(1)
Running MiniStumbler		82	(3)
MiniStumbler Menus and Tool Icons		85	(1)
Using a GPS with MiniStumbler		86	(1)
Direction Finding with a Handheld Device		87	(3)
Summary		90	(1)
Solutions Fast Track		91	(1)
Frequently Asked Questions		92	(1)
WarDriving and Penetration Testing with Windows		93	(26)
Introduction		94	(1)
WarDriving with NetStumbler		94	(5)
How NetStumbler Works		94	(2)
NetStumbler Installation		96	(3)
Running NetStumbler		99	(9)
NetStumbler Menus and Tool Icons		105	(2)
Toolbar Icons		107	(1)
Wireless Penetration Testing with Windows		108	(9)
AirCrack-ng		109	(3)
Determining Network Topology		112	(1)
Network View		112	(5)
Summary		117	(1)
Solutions Fast Track		117	(1)
Frequently Asked Questions		118	(1)
WarDriving and Penetration Testing with Linux		119	(34)
Introduction		120	(1)
Preparing Your System to WarDrive		120	(11)
Preparing the Kernel		120	(1)
Preparing the Kernel for Monitor Mode		120	(3)
Preparing the Kernel for a Global Positioning System		123	(1)
Installing the Proper Tools		124	(1)
Installing Kismet		125	(1)
Installing GPSD		126	(1)
Configuring Your System to WarDrive		127	(4)
WarDriving with Linux and Kismet		131	(7)
Starting Kismet		131	(2)
Using the Kismet Interface		133	(1)
Understanding the Kismet Options		133	(4)
Using a Graphical Front End		137	(1)
Wireless Penetration Testing Using Linux		138	(12)
WLAN Discovery		140	(1)
WLAN Discovery Using Public Source Information		140	(1)
WLAN Encryption		141	(1)
Attacks		141	(1)
Attacks Against WEP		141	(1)
Attacks Against WPA		142	(1)
Attacks Against LEAP		143	(1)
Attacking the Network		144	(1)
MAC Address Spoofing		144	(1)
Deauthentication with Void11		145	(1)
Cracking WEP with the Aircrack Suite		146	(2)
Cracking WPA with the CoWPAtty		148	(1)
Association with the Target Network		148	(2)
Summary		150	(1)
Solutions Fast Track		151	(1)
Frequently Asked Questions		152	(1)
WarDriving and Wireless Penetration Testing with OS X		153	(30)
Introduction		154	(1)
WarDriving with KisMAC		154	(16)
Starting KisMAC and Initial Configuration		154	(1)
Configuring the KisMAC Preferences		155	(1)
Scanning Options		156	(1)
Filter Options		156	(1)
Sound Preferences		157	(3)
Traffic		160	(1)
KisMAC Preferences		160	(2)
Mapping WarDrives with KisMAC		162	(1)
Importing a Map		162	(4)
WarDriving with KisMAC		166	(1)
Using the KisMAC Interface		167	(3)
Penetration Testing with OS X		170	(6)
Attacking WLAN Encryption with KisMAC		171	(1)
Attacking WEP with KisMAC		171	(2)
Reinjection		173	(1)
Attacking WPA with KisMAC		174	(1)
Other Attacks		175	(1)
Bruteforce Attacks Against 40-bit WEP		175	(1)
Wordlist Attacks		175	(1)
Other OS X Tools for WarDriving and WLAN Testing		176	(2)
Summary		178	(1)
Solutions Fast Track		178	(2)
Frequently Asked Questions		180	(3)
Wireless Penetration Testing Using a Bootable Linux Distribution		183	(36)
Introduction		184	(1)
Core Technologies		185	(8)
WLAN Discovery		185	(1)
Choosing the Right Antenna		186	(1)
WLAN Encryption		187	(1)
WEP		188	(1)
WPA/WPA2		188	(1)
EAP		189	(1)
VPN		189	(1)
Attacks		189	(1)
Attacks Against WEP		189	(2)
Attacks Against WPA		191	(1)
Attacks Against LEAP		191	(1)
Attacks Against VPN		192	(1)
Open Source Tools		193	(15)
Footprinting Tools		193	(1)
Intelligence Gathering Tools		194	(1)
User's Network Newsgroups		194	(1)
Google (Internet Search Engines)		194	(1)
Scanning Tools		195	(1)
Wellenreiter		195	(3)
Kismet		198	(2)
Enumeration Tools		200	(1)
Vulnerability Assessment Tools		201	(2)
Exploitation Tools		203	(1)
MAC Address Spoofing		203	(1)
Deauthentication with Void11		203	(2)
Cracking WEP with the Aircrack Suite		205	(3)
Cracking WPA with CoWPAtty		208	(1)
Case Study		208	(6)
Case Study Cracking WEP		209	(3)
Case Study: Cracking WPA-PSK		212	(2)
Further Information		214	(1)
Additional GPSMap Map Servers		215	(1)
Solutions Fast Track		215	(2)
Frequently Asked Questions		217	(2)
Mapping WarDrives		219	(28)
Introduction		220	(1)
Using the Global Positioning System Daemon with Kismet		220	(6)
Installing GPSD		220	(3)
Starting GPSD		223	(1)
Starting GPSD with Serial Data Cable		223	(2)
Starting GPSD with USB Data Cable		225	(1)
Configuring Kismet for Mapping		226	(1)
Enabling GPS Support		226	(1)
Mapping WarDrives with GPSMAP		227	(4)
Creating Maps with GPSMAP		227	(4)
Mapping WarDrives with StumbVerter		231	(13)
Installing StumbVerter		231	(4)
Generating a Map With StumbVerter		235	(1)
Exporting NetStumbler Files for Use with StumbVerter		235	(2)
Importing Summary Files to MapPoint with StumbVerter		237	(5)
Saving Maps with StumbVerter		242	(2)
Summary		244	(1)
Solutions Fast Track		245	(1)
Frequently Asked Questions		246	(1)
Using Man-in-the-Middle Attacks to Your Advantage		247	(36)
Introduction		248	(2)
What is a MITM Attack?		248	(1)
MITM Attack Design		248	(1)
The Target---AP(s)		248	(1)
The Victim---Wireless Client(s)		248	(1)
The MITM Attack Platform		249	(1)
MITM Attack Variables		249	(1)
Hardware for the Attack---Antennas, Amps, WiFi Cards		250	(5)
The Laptop		251	(1)
Wireless Network Cards		251	(1)
Choosing the Right Antenna		252	(1)
Amplifying the Wireless Signal		253	(1)
Other Useful Hardware		254	(1)
Identify and Compromise the Target Access Point		255	(2)
Identify the Target		255	(1)
Compromising the Target		255	(2)
The MITM Attack Laptop Configuration		257	(12)
The Kernel Configuration		258	(1)
Obtaining the Kernel Source		258	(1)
Configure and Build the Kernel		258	(3)
Setting Up the Wireless Interfaces		261	(1)
wlan0 - Connecting to the Target Network		261	(1)
wlan1 - Setting up the AP		261	(1)
IP Forwarding and NAT Using Iptables		262	(1)
Installing Iptables and IP Forwarding		263	(1)
Establishing the NAT Rules		264	(1)
Dnsmasq		265	(1)
Installing Dnsmasq		265	(1)
Configuring Dnsmasq		265	(2)
Apache Hypertext Preprocessor and Virtual Web Servers		267	(2)
Clone the Target Access Point and Begin the Attack		269	(9)
Establish Wireless Connectivity and Verify Services are Started		269	(1)
Start the Wireless Interface		269	(1)
Verify Connectivity to the Target Access Point		270	(1)
Verify Dnsmasq is Running		270	(1)
Verify Iptables is Started and View the Running Rule Sets		271	(1)
Deauthenticate Clients Connected to the Target Access Point		272	(1)
Wait for the Client to Associate to Your Access Point		272	(1)
Identify Target Web Applications		273	(1)
Spoof the Application		274	(1)
Using wget to Download the Target Web Page		274	(1)
Modify the Page		274	(2)
Redirect Web Traffic Using Dnsmasq		276	(2)
Summary		278	(1)
Solutions Fast Track		278	(3)
Frequently Asked Questions		281	(2)
Using Custom Firmware for Wireless Penetration Testing		283	(36)
Choices for Modifying the Firmware on a Wireless Access Point		284	(1)
Software Choices		284	(1)
HyperWRT		284	(1)
DD-WRT		284	(1)
OpenWRT		284	(1)
Hardware Choices		285	(1)
Installing OpenWRT on a Linksys WRT54G		285	(11)
Downloading the Source		286	(1)
Installation and How Not to Create a Brick		287	(1)
Installation via the Linksys Web Interface		288	(2)
Installation via the TFTP Server		290	(3)
Command Syntax and Usage		293	(3)
Configuring and Understanding the OpenWRT Network Interfaces		296	(2)
Installing and Managing Software Packages for OpenWRT		298	(4)
Finding and Installing Packages		299	(3)
Uninstalling Packages		302	(1)
Enumeration and Scanning from the WRT54G		302	(4)
Nmap		302	(2)
Netcat		304	(1)
Tcpdump		304	(2)
Installation and Configuration of a Kismet Drone		306	(4)
Installing the Package		306	(1)
Configuring the Kismet Drone		307	(1)
Making the Connection and Scanning		307	(3)
Installing Aircrack to Crack a WEP Key		310	(4)
Mounting a Remote File System		310	(1)
Installing the Aircrack Tools		311	(3)
Summary		314	(1)
Solutions Fast Track		315	(3)
Frequently Asked Questions		318	(1)
Wireless Video Testing		319	(24)
Introduction		320	(1)
Why Wireless Video?		320	(1)
Let's Talk Frequency		320	(1)
Let's Talk Format		320	(1)
Let's Talk Terms		321	(1)
Wireless Video Technologies		321	(6)
Video Baby Monitors		322	(2)
Security Cameras		324	(1)
X10.com		324	(1)
D-Link		325	(1)
Others		326	(1)
Tools for Detection		327	(12)
Finding the Signal		327	(1)
Scanning Devices		328	(1)
ICOM IC-R3		329	(5)
X10 Accessories		334	(2)
WCS-99		336	(2)
The Spy Finder		338	(1)
Summary		339	(1)
Solutions Fast Track		339	(2)
Frequently Asked Questions		341	(2)
Appendix A Solutions Fast Track		343	(18)
Appendix B Device Driver Auditing		361	(24)
Introduction		362	(1)
Why Should You Care		363	(3)
What is a Device Driver?		366	(17)
Windows		367	(1)
OS X		367	(1)
Linux		368	(1)
Setting Up a Test Environment		368	(1)
WiFi		369	(1)
Bluetooth		370	(1)
Testing the Drivers		371	(1)
WiFi		372	(6)
Bluetooth		378	(2)
Looking to the Future		380	(3)
Summary		383	(2)
Index		385

Chris Hurley is a Senior Penetration Tester in the Washington, DC area. He has more than 10 years of experience performing penetration testing, vulnerability assessments, and general INFOSEC grunt work. He is the founder of the WorldWide WarDrive, a four-year project to assess the security posture of wireless networks deployed throughout the world. Chris was also the original organizer of the DEF CON WarDriving contest. He is the lead author of WarDriving: Drive, Detect, Defend (Syngress Publishing, ISBN: 19318360305). He has contributed to several other Syngress publications, including Penetration Tester's Open Source Toolkit (ISBN: 1-5974490210), Stealing the Network: How to Own an Identity (ISBN: 1597490067), InfoSec Career Hacking (ISBN: 1597490113), and OS X for Hackers at Heart (ISBN: 1597490407). He has a BS from Angelo State University in Computer Science and a whole bunch of certifications to make himself feel important. Russ Rogers (CISSP, CISM, IAM, IEM, Hon. Sc.D.), author of the popular "Hacking a Terror Network: The Silent Threat of Covert Channels" (Syngress, ISBN: 978-1-928994-98-5), co-author of multiple books, including the best-selling "Stealing the Network: How to Own a Continent" (Syngress, ISBN: 978-1-931836-05-0) and "Network Security Evaluation Using the NSA IEM" (Syngress, ISBN: 978-1-59749-035-1), and former editor-in-chief of The Security Journal, is currently a penetration tester for a federal agency and the co-founder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the past 20 years working as both an IT and InfoSec consultant. Russ has worked with the U.S. Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world in Amsterdam, Tokyo, Singapore, Sćo Paulo, Abu Dhabi, and cities all over the United States. Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master's degree in computer systems management from the University of Maryland, a bachelor of science degree in computer information systems from the University of Maryland, and an associate's degree in applied communications technology from the Community College of the Air Force. He is a member of ISSA and (ISC)2® (CISSP). Russ also teaches at and fills the role of professor of network security for the University of Advancing Technology (www.uat.edu). Frank Thornton runs his own technology consulting firm, Blackthorn Systems, which specializes in information security and wireless networks. His specialties include wireless network architecture, design, and implementation, as well as network troubleshooting and optimization. An interest in amateur radio helped him bridge the gap between computers and wireless networks. Having learned at a young age which end of the soldering iron was hot, he has even been known to repair hardware on occasion. In addition to his computer and wireless interests, Frank was a law enforcement officer for many years. As a detective and forensics expert he has investigated approximately one hundred homicides and thousands of other crime scenes. Combining both professional interests, he was a member of the workgroup that established ANSI Standard "ANSI/NIST-CSL 1-1993 Data Format for the Interchange of Fingerprint Information."